
WO2013041295A1 - Outbound connection detection and blocking at a client computer - Google Patents


Info

Publication number
WO2013041295A1
Authority
WO
WIPO (PCT)
Prior art keywords
ssl
client computer
server
reputation
connection
Prior art date
Legal status
Ceased
Application number
PCT/EP2012/065393
Other languages
English (en)
Inventor
Jarno NIEMELÄ
Current Assignee
WithSecure Oyj
Original Assignee
F Secure Oyj
Priority date
2011-09-23
Filing date
2012-08-07
Publication date
2013-03-28

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Definitions

  • the present invention relates to a method of detecting and blocking an outbound connection at a client computer.
  • the present invention relates to a method of detecting and blocking a malicious SSL connection at a client computer.
  • malware is short for malicious software and is used to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Many computer devices, such as desktop personal computers (PCs), laptops, personal data assistants (PDAs) and mobile phones can be at risk from malware.
  • Detecting malware is often challenging, as malware may be designed to be difficult to detect, often employing technologies that deliberately hide the presence of malware on a system.
  • Malware often uses backdoor components (“backdoors”) to communicate with a central command and control (C&C) server from which it can receive instructions.
  • Backdoors used by attackers tend to contain binary code that is unique for each instance, or at least the binary code has a very low prevalence. These backdoors can therefore be difficult to detect.
  • One method of detecting backdoor components (and subsequently the associated malware) is to detect for low prevalence binary code.
  • However, binary code with low prevalence can also be found in non-malicious software and software components, for example a locally compiled .NET executable, and so the detection of low prevalence alone is not sufficient to conclude that a backdoor has been found.
  • the method comprises identifying, at a network firewall level, an outbound SSL connection being set up at the client computer, detecting an SSL certificate associated with the SSL connection and sending a request to a central server for reputation information on the SSL certificate, at the central server, determining reputation information in dependence upon the SSL certificate, providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.
  • a hook may be used to monitor outbound communications from the client computer in order to identify the outbound SSL connection being set up.
  • the SSL certificate may be detected by intercepting it from the plaintext portion of an initial handshake carried out to set up the SSL connection.
  • the request sent to the central server may include the SSL certificate, or a hash thereof.
  • the step of determining the reputation information at the server may comprise performing on-the-fly analysis of the SSL certificate, or hash thereof, and/or searching a database of known SSL certificate reputation information.
  • the reputation information may comprise a rating assigned to the SSL certificate.
  • the step of using the reputation information at the client computer to determine whether or not to block the connection may comprise comparing the reputation information with security level settings on the client computer.
  • a method of detecting and blocking a malicious SSL connection at a client computer comprises identifying, at a network firewall level, an SSL connection that is set up without an SSL certificate being exchanged, and blocking the identified SSL connection.
  • a method of protecting a client computer from malware which malware attempts to establish an SSL connection with an external server.
  • the method comprises carrying out the steps of any of the previous aspects of the invention, and, for any connections that are blocked, flagging up the application that initiated the SSL connection as malware.
  • the method may further comprise placing the flagged application in quarantine.
  • a client computer comprising a hooking unit for monitoring outbound communications from the client computer and detecting SSL certificates from handshakes for initiating SSL connections, a security settings handler for sending reputation information requests to a reputation server and receiving reputation information from said reputation server, and for comparison of the received reputation information with security settings on the client computer, and a connection blocking unit for blocking any SSL connections where the corresponding SSL certificates' reputations do not pass the requirements of the security settings.
  • the client computer may be a personal computer, a mobile device, or any other internet-connected device.
  • a reputation server or server cluster for serving a multiplicity of client computers.
  • the central server or server cluster comprises a database of SSL certificate reputations, a reputation determination unit for searching the database to find the SSL certificate reputations that correspond with reputation information requests being received from one or more client computers, and a transmitter for sending the reputation information back to the respective client computers, said reputation information comprising the SSL certificate reputations for the SSL certificates indicated in the received information requests.
  • the reputation determination unit may also be used for performing on-the-fly analysis of the SSL certificates indicated in the received information requests.
  • a non-transitory computer readable medium storing a computer program which, when run on a computer device, causes the computer device to behave as a client computer according to the fourth aspect of the invention.
  • a non-transitory computer readable medium storing a computer program which, when run on a server, causes the server to behave as a reputation server according to the fifth aspect of the invention.
  • a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
  • the computer program code comprises code for identifying, at a network firewall level, an outbound SSL connection being set up at the client computer, code for detecting an SSL certificate associated with the SSL connection, code for sending a request to a central server for reputation information on the SSL certificate, and code for using reputation information received at the client computer to determine whether or not to block the connection.
  • Figure 1 is a representation of the first stages of setting up an SSL connection
  • Figure 2 is a flow diagram that illustrates a method of controlling SSL connections at a client computer according to an embodiment of the present invention
  • Figure 3 is a flow diagram showing the steps of a method according to an embodiment of the present invention.
  • Figure 4 is a schematic representation of a computer system according to an embodiment of the present invention.
  • FIG. 1 is a representation of the first stages of setting up an SSL connection (the "handshake") between a client computer and a server. The steps are as follows:
  • the client sends a communication request to the server.
  • the server responds and includes its SSL certificate.
  • the client generates a pre-master secret, which is a random number that can be used to generate an encryption key.
  • the client then encrypts the pre-master secret and sends it to the server.
  • a symmetric encryption key is calculated using the pre-master secret.
  • the pre-master secret is decrypted and used to calculate the same symmetric encryption key.
  • A6. Encrypted messages indicating that the handshake is finished are exchanged between the server and the client computer.
  • the solid arrows at steps A1 and A2 represent communications between the client computer and the C&C server which are sent in plaintext (i.e. they are not encrypted).
  • the initial steps of the handshake are carried out in plaintext because an encrypted session cannot be started until the certificate has been exchanged and the encryption key that is to be used has been generated. Only once the handshake is complete will a component be able to decipher any encrypted data that it receives.
  • FIG. 2 is a flow diagram that illustrates a method of detecting and blocking malicious SSL connections at a client computer. The steps of the method are:
  • B3. Send the SSL certificate, or a hash thereof, to a central reputation server.
  • B4. Provide SSL certificate reputation information from the central reputation server to the client computer.
  • B5. Use the SSL certificate reputation information at the client computer to determine whether or not to block the connection.
  • Hooking is a technique used in computer programming to intercept communications.
  • the communication is hooked at the network firewall level of the client computer.
  • the initial plaintext exchange within the SSL connection handshake allows the hook to detect, i.e. "sniff", the certificate from the traffic stream in Step B2.
  • the method is typically carried out by security software that is installed on the client computer and that is provided by a security software provider.
  • the central reputation server is a web server or web server cluster run by the security software provider, and comprises a database on which is stored known certificate reputation information.
  • the central reputation server can provide certificate reputation information for certificates that are known by retrieving the known reputation from the database, and can also provide certificate reputation information for certificates that are unknown by performing on-the-fly analysis (for example, by automatic data-mining) of the certificate or certificate hash received from a client computer. Once the analysis has been performed on the unknown certificate, it can be entered, along with its newly determined reputation information, into the database of known certificate reputation information for future reference.
  • the database can therefore be populated both manually, i.e. by an analyst who seeks out unknown certificates to analyse and enter in the database, and automatically, i.e. by analysis performed on-the-fly on unknown certificates received from client computers running the security software.
  • the certificate reputation information comprises a rating for each certificate.
  • the analysis required to determine the reputation of an SSL certificate can be carried out in a number of different ways, and it is expected that a combination of one or more of these will be used not only when creating entries in the database, but also when the on-the-fly analysis is performed. Some examples of different types of analysis will now be described.
  • the simplest way to determine a reputation for an SSL certificate is to have a human analyst analyse the binary for known malicious backdoors and add the certificate that is sent from the client computer to the reputation database and assign it a bad rating.
  • the analyst may also use the known backdoor within a controlled environment, such as a sandbox, to obtain the C&C server's SSL certificate.
  • the C&C server's certificate can then also be added to the reputation database with a bad rating.
  • Another method is to check the properties of the SSL certificate itself. For example, all SSL certificates that are not issued by a trusted Certificate Authority (CA), e.g. VeriSign or GlobalSign, are given poor ratings. Similarly, certificates that are not signed, or that are not associated with the domain name where the server is located, are also given poor ratings.
  • a further method is to perform checks on the company name and address information contained within the certificate. Certificates that are used to initiate SSL connections that allow malware to communicate with C&C servers typically have no structure in the company name and address fields, with only random text being entered. A certificate found to have random text entered in the company name and address fields in this way will be assigned a bad rating.
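To illustrate the certificate-property checks just described, here is an added Python example; it is not code from the patent or from F-Secure. The 0..100 rating scale, the penalty weights, the trusted-issuer set and the text-randomness heuristic are all assumptions, and the certificates are constructed dicts rather than parsed X.509 objects.

```python
import re

# Constructed trusted-issuer set; the page names VeriSign and GlobalSign as examples.
TRUSTED_ISSUERS = {"VeriSign", "GlobalSign"}

# Assumed rating scale: 100 = clean, 0 = worst. Penalty weights are illustrative.
PENALTIES = {
    "unsigned": 60,
    "untrusted_issuer": 40,
    "domain_mismatch": 30,
    "random_field": 30,
}


def looks_random(text):
    """Heuristic for the 'random text in company name/address fields' check.

    Counts simple signals of unstructured text: almost no vowels, long
    consonant runs, digits buried inside a word, and a long field with no
    spaces. Two or more signals => treat the field as random text."""
    t = text.strip().lower()
    if not t:
        return True  # an empty field has no structure either
    letters = [c for c in t if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", t)
    longest_run = max((len(r) for r in runs), default=0)
    digits_inside_word = re.search(r"[a-z][0-9]+[a-z]", t) is not None
    no_word_breaks = len(t) > 10 and " " not in t
    signals = (vowel_ratio < 0.2, longest_run >= 4, digits_inside_word, no_word_breaks)
    return sum(signals) >= 2


def host_matches(subject_cn, host):
    """Is the certificate associated with the domain where the server is located?"""
    cn, host = subject_cn.lower(), host.lower()
    if cn.startswith("*."):
        # a wildcard covers exactly one label
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def rate_certificate(cert, server_host):
    """Return (rating, reasons) for a certificate described by a plain dict.

    cert keys (constructed representation): issuer, subject_cn, organization,
    address, signed."""
    rating, reasons = 100, []
    if not cert.get("signed", False):
        rating -= PENALTIES["unsigned"]
        reasons.append("certificate is not signed")
    if cert.get("issuer") not in TRUSTED_ISSUERS:
        rating -= PENALTIES["untrusted_issuer"]
        reasons.append("issuer is not a trusted CA")
    if not host_matches(cert.get("subject_cn", ""), server_host):
        rating -= PENALTIES["domain_mismatch"]
        reasons.append("subject does not match the server's domain")
    for field in ("organization", "address"):
        if looks_random(cert.get(field, "")):
            rating -= PENALTIES["random_field"]
            reasons.append(f"{field} field looks like random text")
    return max(rating, 0), reasons


# Constructed sample certificates (not real certificates).
CLEAN_CERT = {
    "issuer": "GlobalSign",
    "subject_cn": "www.example.com",
    "organization": "Example Corp Ltd",
    "address": "1 Main Street, Springfield",
    "signed": True,
}
SUSPECT_CERT = {
    "issuer": "xq7 CA",
    "subject_cn": "localhost",
    "organization": "xq7vbdk92kplz",
    "address": "jk3lsd8fjw",
    "signed": False,
}

if __name__ == "__main__":
    for name, cert, host in (("clean", CLEAN_CERT, "www.example.com"),
                             ("suspect", SUSPECT_CERT, "203.0.113.5")):
        print(name, rate_certificate(cert, host))
```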
  • FIG. 3 is a flow diagram showing the steps of the method according to an embodiment of the present invention. The steps are as follows:
  • a component on the client computer tries to connect to an external server that uses an SSL certificate to encrypt the traffic.
  • the external server responds to the request and includes its SSL certificate.
  • the security software detects the SSL connection attempt at the network firewall level and sniffs the certificate from traffic stream.
  • the security software sends the certificate, or a hash of the certificate, to the reputation server.
  • the reputation server determines the reputation information for the SSL certificate and sends it to the security software at the client computer.
  • the reputation information for the SSL certificate is used by the security software to determine whether the connection should be blocked.
  • In step C6, the rating in the SSL certificate reputation information can be checked against the security level settings within the security software. If the reputation information passes the requirements of the security level settings, then communication over the SSL connection with the external server is allowed to continue. If, however, the reputation information does not pass the requirements of the security level settings, then it is deduced that a backdoor component has been detected and the connection with the external server is blocked.
  • An SSL connection that is established using a certificate with a particularly bad rating may automatically be blocked, and the application that initialised the connection quarantined immediately.
  • An SSL connection that is established using a certificate with a low rating may cause the security software to block the connection and may further send details of the corresponding application to the provider of the security software for further analysis.
  • In order to make malware networks more resistant to discovery and counter-measures, malware authors often make use of distributed command and control in the form of a fast flux network.
  • In a fast flux network there is no single C&C server. Instead there is an ever-changing network of C&C servers and/or proxies (and, therefore, IP addresses) that can perform the same role as a single C&C server. This can cause problems when trying to detect the command and control for malware using standard techniques (for example IP-based access control lists).
  • each of the C&C servers within a fast flux network will share the same SSL certificate, and so the method described above will still be effective in the detection of SSL connections between a backdoor component on a client computer and a fast flux C&C network.
  • the example above describes the method when only the external server uses an SSL certificate to establish the connection.
  • The client computer may also use an SSL certificate for authenticating with the external server. It is highly likely that the SSL certificate used by a malware backdoor component on one client computer will be used by all instances of the same backdoor component installed on other client computers that are generated from the same source, for example from the same malware infection server.
  • If an SSL certificate is known to be used by malware backdoors on client computers to communicate with C&C servers, it can be entered into the database of known SSL certificate reputation information. Therefore, if said known SSL certificate is detected when monitoring the outbound communication traffic at a client computer, it can be deduced that a malware backdoor component has been detected, and the connection can be blocked.
  • the security software detects (or "sniffs") the outbound SSL certificate from the traffic stream, rather than the inbound SSL certificate from the external server.
  • the security software is able to detect both outbound and inbound SSL certificates.
  • A malware author may become aware that the security software monitors the outbound and inbound traffic and detects the SSL certificates exchanged during handshakes in order to detect backdoor components and block malware connections.
  • An obvious alternative that the malware author can use to evade the security software's detection method is to build the C&C server's SSL certificate into malware binary. By doing this, the backdoor component will be able to establish a secure connection with the C&C server whilst avoiding the plaintext part of the handshake when the SSL certificate is exchanged.
  • This approach is very unusual and would not be used by "clean" (non-malware) applications, making the approach itself easily detectable.
  • the security software can, therefore, be programmed to monitor the traffic stream and detect any secure connections that are set up without an SSL certificate being exchanged. If such a secure connection is detected, then it is blocked.
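The client-side steps (sniffing the certificate from the plaintext handshake, hashing it for the reputation request, comparing the returned rating with the security level settings) and the no-certificate check described above can be exercised end to end; the following is an added Python example, not the patent's or F-Secure's code. It assumes a TLS 1.2 record layout, a SHA-256 fingerprint, a 0..100 rating scale and a dict standing in for the reputation server; the handshake bytes and certificates are constructed.

```python
import hashlib
import struct

# TLS record type and handshake message types seen in the plaintext part of the handshake.
TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 2, 11, 14

# Assumed security level settings: ratings run 0 (worst) to 100.
SETTINGS = {"min_rating": 50, "quarantine_below": 10, "unknown_rating": 30}


def _hs_msg(msg_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    """TLS record: 1-byte type, 2-byte version (TLS 1.2), 2-byte length, payload."""
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload


def build_server_flight(cert_der=None):
    """Constructed server flight: ServerHello, optional Certificate, ServerHelloDone.
    cert_der=None models the evasion variant where no certificate is exchanged."""
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    msgs = _hs_msg(HS_SERVER_HELLO, hello)
    if cert_der is not None:
        entry = len(cert_der).to_bytes(3, "big") + cert_der
        msgs += _hs_msg(HS_CERTIFICATE, len(entry).to_bytes(3, "big") + entry)
    msgs += _hs_msg(HS_SERVER_HELLO_DONE, b"")
    return _record(msgs)


def iter_handshake_messages(stream):
    """Yield (type, body) for each handshake message in a plaintext record stream.
    Non-handshake records (alerts, application data) are skipped."""
    off = 0
    while off + 5 <= len(stream):
        rtype = stream[off]
        rlen = struct.unpack("!H", stream[off + 3:off + 5])[0]
        payload = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if rtype != TLS_HANDSHAKE:
            continue
        p = 0
        while p + 4 <= len(payload):
            mlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield payload[p], payload[p + 4:p + 4 + mlen]
            p += 4 + mlen


def sniff_handshake(stream):
    """Step B2: return (saw_server_hello, [DER certs]) sniffed from the handshake."""
    saw_hello, certs = False, []
    for mtype, body in iter_handshake_messages(stream):
        if mtype == HS_SERVER_HELLO:
            saw_hello = True
        elif mtype == HS_CERTIFICATE:
            total, p = int.from_bytes(body[:3], "big"), 3
            while p < 3 + total:
                clen = int.from_bytes(body[p:p + 3], "big")
                certs.append(body[p + 3:p + 3 + clen])
                p += 3 + clen
    return saw_hello, certs


def cert_fingerprint(cert_der):
    """Hash sent to the reputation server instead of the full certificate (step B3).
    SHA-256 is an assumption; the page does not name a hash algorithm."""
    return hashlib.sha256(cert_der).hexdigest()


def decide(stream, reputation_db, settings=SETTINGS):
    """Step B5: compare the returned rating with the security level settings.
    Returns (action, reason)."""
    saw_hello, certs = sniff_handshake(stream)
    if not saw_hello:
        return "ignore", "no SSL handshake in this stream"
    if not certs:
        return "block", "SSL connection set up without a certificate being exchanged"
    # Unknown certificates would get on-the-fly analysis at the server; the
    # default rating stands in for that outcome here.
    rating = reputation_db.get(cert_fingerprint(certs[0]), settings["unknown_rating"])
    if rating < settings["quarantine_below"]:
        return "block+quarantine", f"rating {rating}: particularly bad certificate"
    if rating < settings["min_rating"]:
        return "block", f"rating {rating} below security level {settings['min_rating']}"
    return "allow", f"rating {rating} passes security level"


# Constructed stand-ins for DER certificates and for the server's reputation database.
GOOD_CERT = b"\x30\x82\x01\x00constructed-clean-cert"
BAD_CERT = b"\x30\x82\x01\x00constructed-c2-cert"
REPUTATION_DB = {cert_fingerprint(GOOD_CERT): 90, cert_fingerprint(BAD_CERT): 5}

if __name__ == "__main__":
    for label, cert in (("known good", GOOD_CERT), ("known bad", BAD_CERT),
                        ("unknown", b"\x30\x82\x01\x00never-seen"), ("no cert", None)):
        print(label, decide(build_server_flight(cert), REPUTATION_DB))
```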
  • FIG. 4 is a schematic representation of a computer system according to an embodiment of the present invention.
  • the computer system comprises at least one client computer 1 connected to a reputation server 2 over a network 3 such as the Internet or a LAN.
  • the client computer 1 can be implemented as a combination of computer hardware and software.
  • the client computer 1 comprises a memory 4, a processor 5 and a transceiver 6.
  • the memory 4 stores the various programs/executable files that are implemented by the processor 5.
  • the memory 4 also provides a data storage unit 7 for any required data such as SSL certificate reputation data, white lists, black lists etc.
  • the programs/executable files stored in the memory 4, and implemented by the processor 5, include a hooking unit 8, a security settings handler 9 and a connection blocking unit 10, all of which can be sub-units of an anti-virus unit 11.
  • the transceiver 6 is used to communicate with the central anti-virus server 2 over the network 3.
  • the reputation server 2 is typically operated by the provider of the anti-virus unit 11 that is run on the computer 1. Alternatively, the reputation server 2 may be that of a network administrator or supervisor, the computer 1 being part of the network for which the supervisor is responsible.
  • the reputation server 2 can be implemented as a combination of computer hardware and software.
  • the reputation server 2 comprises a memory 12, a processor 13, a transceiver 14 and a database 15.
  • the memory 12 stores the various programs/executable files that are implemented by the processor 13.
  • the programs/executable files stored in the memory 12, and implemented by the processor 13, include a reputation determination unit 16, which can be a sub-unit of an anti-virus unit 19.
  • the programs/units implemented at the reputation server 2 are capable of interfacing and co-operating with the programs implemented at the computer system 1.
  • the transceiver 14 is used to communicate with the computer system 1 over the network 3.
  • the database 15 stores the SSL certificate reputation data, and may also store other relevant data such as malware definition data, heuristic analysis rules, white lists, black lists etc.

Abstract

The invention relates to a method of detecting and blocking a malicious SSL connection at a client computer. The method comprises identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/242,472 US20130081129A1 (en) 2011-09-23 2011-09-23 Outbound Connection Detection and Blocking at a Client Computer
US13/242,472 2011-09-23

Publications (1)

Publication Number Publication Date
WO2013041295A1 true WO2013041295A1 (fr) 2013-03-28

Family

ID=46640680

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/065393 Ceased WO2013041295A1 (fr) 2011-09-23 2012-08-07 Outbound connection detection and blocking at a client computer

Country Status (2)

Country Link
US (1) US20130081129A1 (fr)
WO (1) WO2013041295A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106740174A (zh) * 2016-11-23 2017-05-31 Zhejiang University Electric vehicle wireless charging system and method using a tram pantograph

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006094228A2 (fr) * 2005-03-02 2006-09-08 Markmonitor, Inc. Implementing trust policies

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003079626A1 (fr) * 2002-03-20 2003-09-25 Research In Motion Limited System and method for checking digital certificate status
FI20030104A0 (fi) * 2003-01-23 2003-01-23 Stonesoft Oyj Detection and blocking of malicious connections
US7778194B1 (en) * 2004-08-13 2010-08-17 Packeteer, Inc. Examination of connection handshake to enhance classification of encrypted network traffic
US7725930B2 (en) * 2005-03-30 2010-05-25 Microsoft Corporation Validating the origin of web content
US7634811B1 (en) * 2005-05-20 2009-12-15 Symantec Corporation Validation of secure sockets layer communications
US7730539B2 (en) * 2005-10-21 2010-06-01 Microsoft Corporation Authenticating third party products via a secure extensibility model
US7614084B2 (en) * 2007-10-02 2009-11-03 Kaspersky Lab Zao System and method for detecting multi-component malware

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KIPP E B HICKMAN NETSCAPE COMMUNICATIONS CORP: "The SSL Protocol; draft-hickman-netscape-ssl-00.txt", 19950401, 1 April 1995 (1995-04-01), XP015014259, ISSN: 0000-0004 *

Also Published As

Publication number Publication date
US20130081129A1 (en) 2013-03-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 12745684
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 12745684
Country of ref document: EP
Kind code of ref document: A1